[security] stomp.py in versions older than 4.1.12 always uses the old ssl.wrap_socket() API which has no support for server name indication (SNI) and hostname matching (newer versions of stomp.py use more modern ssl.SSLContext-related APIs if possible).
[security] By default, stomp.py in versions 8.0.0 and 8.0.1 (8.x.x older than 8.1.0) mistakenly does not perform hostname matching (an ssl.SSLContext is constructed manually, with protocol set to ssl.PROTOCOL_TLS which does not provide automatic hostname matching -- contrary to ssl.PROTOCOL_TLS_CLIENT which is used in the version 8.1.0 of stomp.py).
In the implementation of the aforementioned bots, various versions of stomp.py require different code paths -- see the if statements checking for (or related in other ways with) versions: <4.1.20, >=4.1.21, >=5.0.0, >=6.1.0. Restricting the version of stomp.py to a newer one would make it possible to simplify the code (and probably also make it more correct/reliable...[^1]).
Footnotes
[^1]: In particular, after some superficial tests it seems to me that disconnects/reconnects are not handled properly by the collector bot when the version of stomp.py is older than ~~4.1.20~~ 4.1.21 (although I admit I haven't investigated it more deeply...).
This is an important thing and a hard problem to solve on the IntelMQ base. I think that because we are focused on keeping the compatibility, it's not easy for us to just set the required versions as higher. This is also because IntelMQ is partially shipped as a native package, where it's not always clear, which dependencies are available or expected by other software on the machine.
Thus, we have to allow dependencies to work with newer, upgraded versions, but the responsibility to install them with the most secure version is on the system administrator. We can however advise doing so. What would you say about adding such a check in the bots' check method and generating a warning if the dependency (here: stomp.py) is older than recommended?
On the other hand, I see the situation differently for Docker images, where we control the environment and ship the working solution - so there we should also keep the dependencies safe. This is not done yet, but my personal plan is to keep the dependencies in our images up to date (in the sense of security updates).
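An added example (not IntelMQ's or stomp.py's own code) of the two points in this thread: a version check of the kind proposed for a bot's check method, and the ssl.SSLContext difference from the issue description. The recommended minimum 8.1.0 and the context-builder names are assumptions made for illustration.

```python
import ssl
from importlib import metadata

# Assumption for this example: 8.1.0 is the first stomp.py release that builds its
# client context with ssl.PROTOCOL_TLS_CLIENT (hostname matching on by default).
RECOMMENDED_STOMP_VERSION = (8, 1, 0)


def parse_version(version):
    """Turn '8.0.1' or '4.1.20' into a tuple of ints that compares correctly."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def installed_stomp_version():
    """Version of the installed 'stomp.py' distribution, or None if absent."""
    try:
        return metadata.version("stomp.py")
    except metadata.PackageNotFoundError:
        return None


def stomp_version_warning(installed_version):
    """Warning text for a bot's check() if stomp.py is older than recommended."""
    if parse_version(installed_version) < RECOMMENDED_STOMP_VERSION:
        wanted = ".".join(str(n) for n in RECOMMENDED_STOMP_VERSION)
        return ("stomp.py %s is older than the recommended %s; TLS hostname "
                "matching may not be performed" % (installed_version, wanted))
    return None


def context_verifies_hostname(ctx):
    """True only if the context requires a server certificate and checks its name."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def build_context_like_stomp_8_0():
    """Weak setup: PROTOCOL_TLS leaves verify_mode=CERT_NONE and check_hostname=False."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS)


def build_hardened_context():
    """PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and check_hostname by default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()  # trust the system CA store; or load_verify_locations()
    return ctx
```

A bot could call stomp_version_warning(installed_stomp_version()) from its check method and log the result as a warning rather than failing, matching the advisory approach described above.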
The security problems mentioned in this ticket's description would be fixed by merging the PR #2414. So then, I think, this ticket can be closed as fixed.